/*
 * This file is part of Dependency-Track.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *   http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *
 * SPDX-License-Identifier: Apache-2.0
 * Copyright (c) OWASP Foundation. All Rights Reserved.
 */
package org.dependencytrack.tasks.metrics;

import alpine.common.logging.Logger;
import alpine.event.framework.Event;
import alpine.event.framework.Subscriber;
import org.apache.commons.lang3.time.DurationFormatUtils;
import org.dependencytrack.event.VulnerabilityMetricsUpdateEvent;
import org.dependencytrack.model.VulnerabilityMetrics;
import org.dependencytrack.persistence.QueryManager;

import javax.jdo.PersistenceManager;
import javax.jdo.Query;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Date;
import java.util.List;
import java.util.Map;
import java.util.stream.Collectors;
import java.util.stream.Stream;

/**
 * A {@link Subscriber} task that updates vulnerability metrics.
 *
 * @since 4.6.0
 */
public class VulnerabilityMetricsUpdateTask implements Subscriber {

    private static final Logger LOGGER = Logger.getLogger(VulnerabilityMetricsUpdateTask.class);

    @Override
    public void inform(final Event e) {
        if (e instanceof VulnerabilityMetricsUpdateEvent) {
            try {
                updateMetrics();
            } catch (Exception ex) {
                LOGGER.error("An unexpected error occurred while updating vulnerability metrics", ex);
            }
        }
    }

    private void updateMetrics() throws Exception {
        LOGGER.info("Executing metrics update on vulnerability database");

        final var measuredAt = new Date();

        try (final var qm = new QueryManager()) {
            final PersistenceManager pm = qm.getPersistenceManager();

            /**
             * 
             * The created field has priotiy over the published field, which is used as a fallback
             * However, the created field is always empty (in my instances)
             * But we leave this mechanism and field juggling in place for backwards compatibility,
             * and for (future) analyzers/sources that might provide this field.
             * 
             * BTW the queries to get these vulnerability counts are very fast,
             * so strictly speaking there is no reason to create this extra table with metrics
             *  
             */

            // Get metrics by published date but only if created field is null
            Collection<YearMonthMetric> published = queryForMetrics(pm, "published", "created");

            // Get metrics by created date regardless of value of published field
            Collection<YearMonthMetric> created = queryForMetrics(pm, "created", null);

            // Merge flat lists
            published.addAll(created);

            // Collect into nested map so we can sum the counts
            Map<Integer, Map<Integer, Long>> metrics = published.stream()
            .filter(ymm -> ymm.year != null)
            .collect(Collectors.groupingBy(ymm -> ymm.year, 
                            Collectors.groupingBy(ymm -> ymm.month, Collectors.summingLong(ymm -> ymm.count))));         

            // Flatten again, but now into VulnerabilityMetrics that can be persisted
            Stream<VulnerabilityMetrics> monthlyStream = metrics.entrySet().stream()
            .flatMap(e -> e.getValue().entrySet().stream().map(
                v -> new VulnerabilityMetrics(e.getKey(), v.getKey(), v.getValue().intValue(), measuredAt)));

            // Flatten another time, for the yearly counts
            Stream<VulnerabilityMetrics> yearlyStream = metrics.entrySet().stream()
            .map(e -> new VulnerabilityMetrics(e.getKey(), null, e.getValue().values().stream().mapToInt(d->d.intValue()).sum(), measuredAt));

            qm.synchronizeVulnerabilityMetrics(Stream.concat(monthlyStream, yearlyStream).toList());            

            LOGGER.info("Completed metrics update on vulnerability database in " +
            DurationFormatUtils.formatDuration(new Date().getTime() - measuredAt.getTime(), "mm:ss:SS"));
        }
    }

    private static Collection<YearMonthMetric> queryForMetrics(PersistenceManager pm, String dateField, String expectedNullField) throws Exception {

        // You cannot seem to parametrize fieldnames in JDOQL, so we use String formatting
        // You cannot seem to use aliases with GROUP BY in JDOQL
        // You cannot seem to use IF ELSE with GROUP BY in JDOQL
        // So we end up doing two queries instead of one with an IF ELSE
        String queryTemplate =
            "SELECT %s.getYear() as y, %s.getMonth()+1 as m, count(this) as count " + 
            "FROM org.dependencytrack.model.Vulnerability " +
            "WHERE %s != null && %s == null " +
            "GROUP BY %s.getYear(), %s.getMonth() + 1";

        try (Query<?> query = pm.newQuery("javax.jdo.query.JDOQL", String.format(queryTemplate, dateField, dateField, dateField, expectedNullField, dateField, dateField))) {
            List<YearMonthMetric> flatMetrics = query.executeResultList(YearMonthMetric.class);

            // the flatMetrics list is bound to the Query, so we need to copy it to a new array to survive query closure
            return new ArrayList<>(flatMetrics);
        }   
    }

}
